From 49c0a7b4d4ec5ddef7f9648be72ccacb15c28840 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 25 Sep 2017 17:11:46 +1000 Subject: [PATCH] ipa-cacert-manage: handle alternative tracking request CA name For an externally-signed CA, if an earlier run of ipa-cacert-manage was interrupted, the CA name in the IPA CA tracking request may have been left as "dogtag-ipa-ca-renew-agent-reuse" (it gets reverted to "dogtag-ipa-ca-renew-agent" at the end of the CSR generation procedure). `ipa-cacert-manage renew` currently only looks for a tracking request with the "dogtag-ipa-ca-renew-agent" CA, so in this scenario the program fails with message "CA certificate is not tracked by certmonger". To handle this scenario, if the IPA CA tracking request is not found, try once again but with the "dogtag-ipa-ca-renew-agent-reuse" CA name. Part of: https://pagure.io/freeipa/issue/6858 Reviewed-By: Florence Blanc-Renaud --- ipaserver/install/ipa_cacert_manage.py | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index bff1678b0..f764638c7 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py 
@@ -148,20 +148,30 @@ class CACertManage(admintool.AdminTool):
         api.Backend.ldap2.connect(bind_pw=password)
 
+    def _get_ca_request_id(self, ca_name):
+        """Lookup tracking request for IPA CA, using given ca-name."""
+        criteria = {
+            'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
+            'cert-nickname': self.cert_nickname,
+            'ca-name': ca_name,
+        }
+        return certmonger.get_request_id(criteria)
+
     def renew(self):
         ca = cainstance.CAInstance(api.env.realm)
         if not ca.is_configured():
             raise admintool.ScriptError("CA is not configured on this system")
 
-        criteria = {
-            'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
-            'cert-nickname': self.cert_nickname,
-            'ca-name': 'dogtag-ipa-ca-renew-agent',
-        }
-        self.request_id = certmonger.get_request_id(criteria)
+        self.request_id = self._get_ca_request_id('dogtag-ipa-ca-renew-agent')
         if self.request_id is None:
-            raise admintool.ScriptError(
-                "CA certificate is not tracked by certmonger")
+            # if external CA renewal was interrupted, the request may have
+            # been left with the "dogtag-ipa-ca-renew-agent-reuse" CA;
+            # look for it too
+            self.request_id = \
+                self._get_ca_request_id('dogtag-ipa-ca-renew-agent-reuse')
+            if self.request_id is None:
+                raise admintool.ScriptError(
+                    "CA certificate is not tracked by certmonger")
         logger.debug(
             "Found certmonger request id %r", self.request_id)